Do I need child domains in AD?


Solution 1

No, almost certainly not. Unless you have political pressure in terms of one administrator effectively having access to everything, then stick to one domain. There are arguments with regard to the same DNS namespace being used, which might not suit a multi-branded multinational, but sounds like this isn't an issue for you. Again, this is all bollotics. In terms of scalability, AD now scales very well. Replication can be controlled quite nicely too. Things have moved on since Windows 2000 Server.

Flipping the question on its head, multiple domains increase operational overheads (from day-to-day user/group management, auditing, securing AD backups, proving recovery, etc.), but also introduce the potential for configuration inconsistencies across domains.

Single domain... the way forward.

In terms of DC placement, don't get tooooo carried away with Microsoft's two-DCs per site model. Look at your WAN links, and more specifically, triangulation into sites. If you have redundant links, and the MTBF on those links is high, then don't over-engineer unnecessarily. I don't know how big / autonomous your schools are. However, if the latency on your links is high, then perhaps on-site DCs will be necessary. This whole argument comes down to the service level that your WAN gives you. You can always add additional DCs if required. Taking them away isn't quite as straightforward (experience vs theory).

Also, don't forget about Read Only Domain Controllers (RODCs), which work beautifully on server core. This might not be relevant for you, as it sounds like your schools are quite autonomous, but if you, for example, had a smaller school, which didn't / couldn't do its own user management, then an RODC would be fantastic.

In summary, get your bollotics nailed, then get a WAN survey sorted.

Solution 2

Generally speaking, you should always try to have as flat a domain structure as possible, preferably a single domain. Partitioning into domains should have clear business drivers, as there are few technical reasons for "architecting" an Active Directory system this way. Multiple domains create complexity that can be daunting when issues occur. Domains have trusts that can break, and that wreaks havoc on just about everything.

Some of the decision criteria may be driven by politics. There may be entities that require control over a security boundary; one way to do that is to provide them with their own domain. One example would be the US government, where it is not uncommon for a department to have its own forest, and the constituent agencies have their own domains. Aside from politics, the technical rationale for this is not always compelling. Before Windows 2008, some things such as password policies may have required their own domain. One technical driver may be that another domain wants to use an Active Directory functional domain level that is currently unavailable if they were consolidated in a single domain.

Some people are of the opinion that some types of business units are candidates for separate domains, such as wholly-owned subsidiaries where the strategy is to eventually spin it off into a separate company. Or if regulatory requirements specified a separation of concerns, such as if there were a business unit that were subject to strict regulatory or financial controls, or if a business unit were a not-for-profit foundation.
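Both answers recommend a single domain with per-school OUs and per-site replication control, which is also the plan sketched in the question. The following PowerShell is an added example (not code from either answer or from the asker) showing that layout: it assumes the RSAT ActiveDirectory module, an existing site named HQ, the school.org domain from the question, a constructed two-school list with made-up 10.x subnets, and uses dsacls.exe for the OU delegation.

```powershell
# Added example, not from the original thread. Builds the single-domain layout
# the answers recommend: one OU per school with a delegated local admin group,
# one AD site + subnet per school, and a site link to HQ that replicates
# overnight. Assumes the RSAT ActiveDirectory module, an existing 'HQ' site,
# and the constructed school list below. Run as a Domain Admin.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName        # e.g. DC=school,DC=org
$NetBIOS  = $Domain.NetBIOSName
$Schools  = @(                               # constructed sample data
    @{ Name = 'City1'; Subnet = '10.1.0.0/16' },
    @{ Name = 'City2'; Subnet = '10.2.0.0/16' }
)

# Overnight window (20:00-05:45) for inter-site replication, built in two
# pieces because SetDailySchedule takes a from/to pair within one day.
$Night = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$Night.ResetSchedule()
$H = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$M = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
$Night.SetDailySchedule($H::Twenty, $M::Zero, $H::TwentyThree, $M::FortyFive)
$Night.SetDailySchedule($H::Zero,   $M::Zero, $H::Five,        $M::FortyFive)

# Parent OU that holds every school OU
$SchoolsOU = "OU=Schools,$DomainDN"
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Schools)' -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Schools' -Path $DomainDN
}

foreach ($s in $Schools) {
    # 1. OU per school, plus a global group that is delegated over that OU only
    $ou  = New-ADOrganizationalUnit -Name $s.Name -Path $SchoolsOU -PassThru
    $grp = New-ADGroup -Name "$($s.Name)-Admins" -GroupScope Global -Path $ou.DistinguishedName -PassThru
    # Full control over user objects below the OU (/I:S = sub-objects only) and
    # the right to create/delete users in it; nothing outside the OU is touched.
    dsacls.exe $ou.DistinguishedName /I:S /G "${NetBIOS}\$($grp.SamAccountName):GA;;user"
    dsacls.exe $ou.DistinguishedName /I:T /G "${NetBIOS}\$($grp.SamAccountName):CCDC;user"

    # 2. Site and subnet per school, linked to HQ on a scheduled site link
    New-ADReplicationSite   -Name $s.Name
    New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    New-ADReplicationSiteLink -Name "HQ-$($s.Name)" -SitesIncluded 'HQ', $s.Name `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 180 `
        -ReplicationSchedule $Night
}
```

Promote a DC into a school's site afterwards with Install-ADDSDomainController -SiteName, adding -ReadOnlyReplica for the RODC case mentioned in Solution 1.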

Updated on September 18, 2022

Comments

  • ysakiyev almost 2 years

    I have an organization with an HQ (about 150 users) in one city and 16 branches (high schools, 300-400 users each), each in a different city.

    What I have to do is create a domain (or domains) in AD for the corporate network.

    I was suggested to do the following:

    • create an OU for each school and delegate administrative control to the local admin.
    • create a site for each school and control replication (for example, replicate at night).
    • have 1 working DC and 1 duplicate (backup) DC for redundancy in each location (school).

    My question is:

    • Do I need to create a child domain for each location, like city1.school.org, city2.school.org and so on? And what would be the benefit of it?

    I was told that it would create more headaches and that it depends more on the logical structure of the organization than on the physical one. However, I would like to hear the pros and cons of it and in what cases it is more suitable.

  • Bret Fisher almost 12 years
    Great summary. The main reason for going RODC is a lack of physical security to the DC, but certainly not required. To summarize Simon: start everything simple, 1 domain, 1 DC per site, and only add complexity when required. I've run single domains on much bigger orgs than yours and simple is key to the health of AD. Note that I would advocate only 1 DC per site (and if you are limited by budget, you can get away with ADDS role sharing with other server roles) because what are the chances of the DC AND the WAN link being down? In today's landscape, when the WAN is down, not much else works anyway.